...
The eduroam was designed for minimal disclosure of end users personal data following the requirement that user must be authenticated by his/hers IdP. The design of the system provides and favours the end user anonymization, i.e., the possibility to hide the end user’s identity from any third parties, including providers of eduroam network access (SPs). eduroam technical foundations have a built-in support for end user privacy throughout the authentication process. For all intermediate services, like routing of authentication requests and F-ticks (log format for distributed federations), the service is designed to know *nothing* about the actual identity of an end user, while still maintaining log traces which allow for resolving security incidents, debugging, monitoring and usage statistics.
To view the general Privacy Notice for GÉANT, please visit the GÉANT website.
Why We Process Personal Data
...
We also collect data related to NROs, IdPS and SPs to enable supporting services and improve incident response and user support.. Access to the data collected in the eduroam database and other supporting services which is considered private is limited (via authentication mechanism based on eduGAIN) to responsible personel personnel of GEANT and NROs.
What Personal Data We Process
...
- When you roam and visit other countries, the European proxy servers will receive and log the following data: your realm (denoting your institution and federation) and MAC addresses. We can also receive your username if you have not chosen to anonymise this data. When you roam to another institution within your home country we don’t receive any data because the European proxy servers are not included in that process. The service has a legitimate interest in processing this information.
- When you roam and visit other countries or other institutions within your federation we may also process for monitoring, measuring and reporting services, in addition to the data mentioned above, the data about visited country, visited institution and authentication outcome. The service has a legitimate interest in processing this information.
- As part of supporting activities we maintain several public web sites (e.g. web of CAT service) where we collect normal web server logs, i.e. timestamp of access, IP address which requested the page, the page being requested, the HTML result code, etc. The data collected is for the purpose of troubleshooting and debugging potential problems of with eduroam web servers and therefore the service has a legitimate interest in processing this information.
- The eduroam Operational Team maintains a database where we collect data related to NROs, IdPS and SPs to enable supporting services and improve incident response and user support. The data is provided by the NROs based on the eduroam Policy.
- To ensure proper functioning of the eduroam Configuration Assistant Tool (CAT) we collect the identifers and e-mail addresses of the NRO and IdP admins responsible for the configurations that will be used be the end users. The service has a legitimate interest in processing this information.
...
- Minimisation of personal data we collect;
- Managing, limiting and controlling access to personal data;
- Resilience of processing systems and services;
- Regular testing of the effectiveness of measures implemented.
Your Rights
You have the following rights:
...
right to ensure:
- We process your data fairly and lawfully;
- Your data is accurate (to rectify data released by your home organisation, please contact directly);
- The data we collect is not excessive but only the data we require to provide the service;
- Your data is secure;
- Your personal data is securely destroyed when no longer required
You also have the right to ask what personal data we hold about you, and to complain to the Supervisory Authority (Autoriteit Persoonsgegevens at https://autoriteitpersoonsgegevens.nl) about our data processing activities
...
To view the general Privacy Notice for GÉANT, please visit the GÉANT website. if you feel your data is not being managed as described here.
Contact Information
Data Controller and Contact | Data Protection Officer GÉANT Association |
Jurisdiction | Netherlands Dutch Data Protection Authority |
...